The Stream Cipher Rabbit¹

Martin Boesgaard, Mette Vesterager, Erik Zenner, Thomas Christensen

CRYPTICO A/S, Fruebjergvej 3, 2100 Copenhagen, Denmark
[email protected]

¹ This is version 1.1 of the cipher specification as submitted to the eStream project. The only changes in comparison to version 1.0 are some additions to section 7 on computational efficiency and a new appendix A, which describes an 80-bit key setup.

Contents

1 Introduction
2 Stream Cipher Specification
  2.1 Notation
  2.2 Key Setup Scheme
  2.3 IV Setup Scheme
  2.4 Next-state Function
  2.5 Counter System
  2.6 Extraction Scheme
  2.7 Encryption/decryption Scheme
3 Hidden Weaknesses
4 Security Properties
  4.1 Key Setup Properties
  4.2 IV Setup Properties
  4.3 Period Length
  4.4 Partial Guessing
  4.5 Algebraic Attacks
  4.6 Correlation Attacks
  4.7 Differential Analysis
  4.8 Statistical Tests
5 Strengths and Advantages
  5.1 Compact design
  5.2 Security
6 Design Rationale
  6.1 Key and IV setup
  6.2 The g-function
  6.3 The counter system
  6.4 Symmetry and Mixing
7 Computational Efficiency
  7.1 Software Performance
  7.2 Hardware Estimates
    7.2.1 Area optimized
    7.2.2 Speed optimized
8 Advice for Implementers
A 80-bit Key Setup
  A.1 Design Rationale
  A.2 Proposed key setup
  A.3 Security considerations

1 Introduction

Rabbit is a synchronous stream cipher that was first presented at the Fast Software Encryption workshop in 2003 [6]. Since then, an IV-setup function has been designed [19], and additional security analysis has been completed. No cryptographic weaknesses have been revealed until now.

The Rabbit algorithm can briefly be described as follows. It takes a 128-bit secret key and a 64-bit IV (if desired) as input and generates for each iteration an output block of 128 pseudo-random bits from a combination of the internal state bits. Encryption/decryption is done by XORing the pseudo-random data with the plaintext/ciphertext. The size of the internal state is 513 bits divided between eight 32-bit state variables, eight 32-bit counters and one counter carry bit. The eight state variables are updated by eight coupled non-linear functions. The counters ensure a lower bound on the period length for the state variables.

Rabbit was designed to be faster than commonly used ciphers and to justify a key size of 128 bits for encrypting up to $2^{64}$ blocks of plaintext. This means that for an attacker who does not know the key, it should not be possible to distinguish up to $2^{64}$ blocks of cipher output from the output of a truly random generator, using fewer steps than would be required for an exhaustive key search over $2^{128}$ keys.

2 Stream Cipher Specification

2.1 Notation

We use the following notation: ⊕ denotes logical XOR, & denotes logical AND, and denote left and right logical bit-wise shift, ≪ and ≫ denote left and right bit-wise rotation, and denotes concatenation of two bit sequences. A[g..h] means bit number g through h of variable A. When numbering bits of variables, the least significant bit is denoted by 0. Hexadecimal numbers are prefixed by "0x".

The internal state of the stream cipher consists of 513 bits. 512 bits are divided between eight 32-bit state variables $x_{j,i}$ and eight 32-bit counter variables $c_{j,i}$, where $x_{j,i}$ is the state variable of subsystem $j$ at iteration $i$, and $c_{j,i}$ denotes the corresponding counter variable. There is one counter carry bit, $\phi_{7,i}$, which needs to be stored between iterations. This counter carry bit is initialized to zero. The eight state variables and the eight counters are derived from the key at initialization.

2.2 Key Setup Scheme

The algorithm is initialized by expanding the 128-bit key into both the eight state variables and the eight counters such that there is a one-to-one correspondence between the key and the initial state variables, $x_{j,0}$, and the initial counters, $c_{j,0}$. The key, $K[127..0]$, is divided into eight subkeys: $k_0 = K[15..0]$, $k_1 = K[31..16]$, ..., $k_7 = K[127..112]$. The state and counter variables are initialized from the subkeys as follows:

$$x_{j,0} = \begin{cases} k_{(j+1 \bmod 8)} \;\; k_j & \text{for } j \text{ even} \\ k_{(j+5 \bmod 8)} \;\; k_{(j+4 \bmod 8)} & \text{for } j \text{ odd} \end{cases} \tag{1}$$

and

$$c_{j,0} = \begin{cases} k_{(j+4 \bmod 8)} \;\; k_{(j+5 \bmod 8)} & \text{for } j \text{ even} \\ k_j \;\; k_{(j+1 \bmod 8)} & \text{for } j \text{ odd.} \end{cases} \tag{2}$$

The system is iterated four times, according to the next-state function defined in section 2.4, to diminish correlations between bits in the key and bits in the internal state variables. Finally, the counter variables are re-initialized according to:

$$c_{j,4} = c_{j,4} \oplus x_{(j+4 \bmod 8),4} \tag{3}$$

for all $j$, to prevent recovery of the key by inversion of the counter system.

2.3 IV Setup Scheme

Let the internal state after the key setup scheme be denoted the master state, and let a copy of this master state be modified according to the IV scheme. The IV setup scheme works by modifying the counter state as a function of the IV. This is done by XORing the 64-bit IV on all the 256 bits of the counter state. The 64 bits of the IV are denoted $IV[63..0]$. The counters are modified as:

$$\begin{aligned}
c_{0,4} &= c_{0,4} \oplus IV[31..0] \\
c_{1,4} &= c_{1,4} \oplus (IV[63..48] \;\; IV[31..16]) \\
c_{2,4} &= c_{2,4} \oplus IV[63..32] \\
c_{3,4} &= c_{3,4} \oplus (IV[47..32] \;\; IV[15..0]) \\
c_{4,4} &= c_{4,4} \oplus IV[31..0] \\
c_{5,4} &= c_{5,4} \oplus (IV[63..48] \;\; IV[31..16]) \\
c_{6,4} &= c_{6,4} \oplus IV[63..32] \\
c_{7,4} &= c_{7,4} \oplus (IV[47..32] \;\; IV[15..0]).
\end{aligned} \tag{4}$$

The system is then iterated four times to make all state bits non-linearly dependent on all IV bits. The modification of the counter by the IV guarantees that all $2^{64}$ different IVs will lead to unique keystreams.
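The subkey-to-state mapping of eqs. (1) and (2) and the IV mask of eq. (4), as an added C example that is not part of the original specification (function names are illustrative). It assumes the subkeys arrive as an array k[0..7] and reads two adjacent 16-bit terms as a concatenation with the first term in the upper half; the four iterations and eq. (3) are not run here, since they need the counter system of section 2.5.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: k[j] is subkey k_j, and two adjacent 16-bit terms in eqs. (1),
   (2) and (4) mean "first term in the upper half, second in the lower". */
static uint32_t cat16(uint32_t hi, uint32_t lo) { return (hi << 16) | (lo & 0xFFFFu); }

/* Eqs. (1) and (2): x[j] = x_{j,0}, c[j] = c_{j,0}. */
void rabbit_expand_key(const uint16_t k[8], uint32_t x[8], uint32_t c[8]) {
    for (int j = 0; j < 8; j++) {
        if (j % 2 == 0) {
            x[j] = cat16(k[(j + 1) % 8], k[j]);
            c[j] = cat16(k[(j + 4) % 8], k[(j + 5) % 8]);
        } else {
            x[j] = cat16(k[(j + 5) % 8], k[(j + 4) % 8]);
            c[j] = cat16(k[j], k[(j + 1) % 8]);
        }
    }
}

/* One-to-one check: returns 1 if the even-indexed x_{j,0} give back every k_j. */
int rabbit_expansion_round_trips(const uint16_t k[8]) {
    uint32_t x[8], c[8];
    rabbit_expand_key(k, x, c);
    for (int j = 0; j < 8; j += 2)
        if ((uint16_t)x[j] != k[j] || (uint16_t)(x[j] >> 16) != k[j + 1])
            return 0;
    return 1;
}

/* Eq. (4): XOR the 64-bit IV onto all eight counters of a master-state copy. */
void rabbit_mix_iv(uint32_t c[8], uint64_t iv) {
    uint32_t lo = (uint32_t)iv, hi = (uint32_t)(iv >> 32);
    for (int j = 0; j < 8; j += 4) {
        c[j]     ^= lo;                         /* IV[31..0]              */
        c[j + 1] ^= cat16(hi >> 16, lo >> 16);  /* IV[63..48], IV[31..16] */
        c[j + 2] ^= hi;                         /* IV[63..32]             */
        c[j + 3] ^= cat16(hi, lo);              /* IV[47..32], IV[15..0]  */
    }
}

int main(void) {
    const uint16_t k[8] = {0x0000, 0x1111, 0x2222, 0x3333, 0x4444, 0x5555, 0x6666, 0x7777}; /* constructed key */
    uint32_t x[8], c[8], mask[8] = {0};
    rabbit_expand_key(k, x, c);
    rabbit_mix_iv(mask, 0x0123456789ABCDEFULL);  /* constructed IV, applied to zeroed counters */
    for (int j = 0; j < 8; j++) printf("x%d=%08X c%d=%08X ivmask%d=%08X\n", j, (unsigned)x[j], j, (unsigned)c[j], j, (unsigned)mask[j]);
    return !rabbit_expansion_round_trips(k);
}
```

The words XORed onto c0 and c2 together are the whole IV, so two different IVs always produce different counter states.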

2.4 Next-state Function

The core of the Rabbit algorithm is the iteration of the system defined by the following equations:

$$\begin{aligned}
x_{0,i+1} &= g_{0,i} + (g_{7,i} \ll 16) + (g_{6,i} \ll 16) \\
x_{1,i+1} &= g_{1,i} + (g_{0,i} \ll 8) + g_{7,i} \\
x_{2,i+1} &= g_{2,i} + (g_{1,i} \ll 16) + (g_{0,i} \ll 16) \\
x_{3,i+1} &= g_{3,i} + (g_{2,i} \ll 8) + g_{1,i} \\
x_{4,i+1} &= g_{4,i} + (g_{3,i} \ll 16) + (g_{2,i} \ll 16) \\
x_{5,i+1} &= g_{5,i} + (g_{4,i} \ll 8) + g_{3,i} \\
x_{6,i+1} &= g_{6,i} + (g_{5,i} \ll 16) + (g_{4,i} \ll 16) \\
x_{7,i+1} &= g_{7,i} + (g_{6,i} \ll 8) + g_{5,i}
\end{aligned} \tag{5}$$

$$g_{j,i} = (x_{j,i} + c_{j,i+1})^2 \oplus ((x_{j,i} + c_{j,i+1})^2 \;\; 32) \bmod 2^{32} \tag{6}$$

where all additions are modulo $2^{32}$. This coupled system is illustrated in Fig. 1. Before an iteration the counters are incremented as described below.

[Fig. 1: illustration of the coupled system; surviving labels: $c_{0,i}$, $c_{1,i}$, $x_{0,i}$, $c_{7,i}$]
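Eqs. (5) and (6) as an added C example (not code from the specification; function names are illustrative). It assumes the counters passed in have already been incremented, reads the operator before 32 in eq. (6) as the logical right shift from the notation section, and includes a deliberately truncated 32-bit square for contrast.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit-wise left rotation of a 32-bit word; eq. (5) only uses n = 8 and n = 16. */
static uint32_t rotl32(uint32_t v, unsigned n) { return (v << n) | (v >> (32 - n)); }

/* Eq. (6): the sum wraps modulo 2^32, the square is taken at full 64-bit
   width, and its upper 32 bits are XORed onto its lower 32 bits.
   Assumption: the operator before "32" is a logical right shift. */
uint32_t rabbit_g(uint32_t x, uint32_t c) {
    uint64_t u = (uint32_t)(x + c);
    uint64_t sq = u * u;
    return (uint32_t)(sq ^ (sq >> 32));
}

/* Mistaken variant for contrast: a 32-bit multiply discards the upper half
   of the square, so there is nothing left to XOR onto the lower half. */
uint32_t rabbit_g_truncated(uint32_t x, uint32_t c) {
    uint32_t u = x + c;
    return u * u;
}

/* Eq. (5): x holds x_{j,i} on entry and x_{j,i+1} on return; c_next holds the
   already incremented counters c_{j,i+1} (section 2.5, not reproduced here). */
void rabbit_next_state(uint32_t x[8], const uint32_t c_next[8]) {
    uint32_t g[8];
    for (int j = 0; j < 8; j++) g[j] = rabbit_g(x[j], c_next[j]);
    for (int j = 0; j < 8; j++) {
        uint32_t a = g[(j + 7) % 8], b = g[(j + 6) % 8];
        x[j] = (j % 2 == 0) ? g[j] + rotl32(a, 16) + rotl32(b, 16)
                            : g[j] + rotl32(a, 8) + b;
    }
}

int main(void) {
    uint32_t x[8], c_next[8];                     /* constructed sample state */
    for (int j = 0; j < 8; j++) { x[j] = 0xFFFFFFFFu; c_next[j] = 0x00010001u; }
    rabbit_next_state(x, c_next);                 /* every g_{j,i} is 1 here  */
    printf("x0=%08X x1=%08X\n", (unsigned)x[0], (unsigned)x[1]);
    return 0;
}
```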
